Securing your WordPress site
Just because you are paranoid doesn’t mean they aren’t out to get you.
My phone started getting a rash of incoming email from 2 WordPress sites I had recently launched. The emails were from Wordfence, a WordPress security program. Wordfence was identifying brute-force attacks from Russia, Poland, China and other countries. As it identified the attacks, it locked the IP of the attacker and notified me.
The default settings were to lock the IP for five minutes after 20 incorrect login attempts. I changed that to lock out for one hour, given 7 bad attempts within one hour.
Wordfence has a free and a pro version. If you are running a WordPress site, it is imperative to have some type of protection, especially against brute-force password attacks. In a worst-case scenario, the attackers will get lucky and guess the admin password. Even in a best-case scenario, the repeated login attempts consume resources.
A quick look at the logs showed that the hackers had found the two sites and were making repeated attempts to find an admin password.
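The lockout policy described above (7 bad attempts within one hour, locked out for one hour), applied to a web server access log, as an added example that is not from the original post and is not Wordfence's own code. It assumes combined-format log lines and that a failed login is a POST to wp-login.php answered with 200 (a successful one redirects with 302); the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 7                  # bad attempts allowed inside the window
WINDOW = timedelta(hours=1)       # counting window
LOCKOUT = timedelta(hours=1)      # lockout length

# Combined log format: ip - - [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(lines):
    """Yield (time, ip) for each failed wp-login.php POST."""
    for line in lines:
        m = LINE_RE.match(line)
        # Assumption: a failed login re-renders the form (200); success redirects (302).
        if (m and m["method"] == "POST" and m["status"] == "200"
                and m["path"].split("?")[0].endswith("/wp-login.php")):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def lockouts(lines):
    """Return [(ip, locked_at, locked_until)] under the policy above."""
    # recent: ip -> failure times still inside the counting window
    recent, locked_until, events = defaultdict(deque), {}, []
    for ts, ip in sorted(failed_logins(lines)):
        if ip in locked_until and ts < locked_until[ip]:
            continue              # already locked out; this request would be blocked
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()           # forget failures older than one hour
        if len(q) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT
            events.append((ip, ts, locked_until[ip]))
            q.clear()
    return events

def sample_log():
    """Constructed log lines (documentation-range IPs), not real traffic."""
    fmt = '{ip} - - [10/Mar/2024:{t} +0000] "{m} /wp-login.php HTTP/1.1" {s} 512'
    noisy = [fmt.format(ip="203.0.113.5", t=f"08:00:{i:02d}", m="POST", s=200) for i in range(9)]
    slow = [fmt.format(ip="198.51.100.7", t=f"{8 + 2*i:02d}:00:00", m="POST", s=200) for i in range(7)]
    ok = [fmt.format(ip="192.0.2.10", t="08:05:00", m="POST", s=302)]
    return noisy + slow + ok

if __name__ == "__main__":
    for ip, at, until in lockouts(sample_log()):
        print(f"{ip} locked at {at:%H:%M:%S} until {until:%H:%M:%S}")
```

The second sample address makes seven bad attempts spaced two hours apart and is never locked out, which shows what a per-IP, one-hour window does not catch.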
For more information or to download the plugin, visit the Wordfence plugin page.